Zero knowledge hosting and corporate compliance

Encryption rarely leaves the news these days. When we look back on this decade, I believe we will see the knife-edge compromise between privacy and oversight as one of the big, defining issues of the period. The most recent flare-up was the battle between the FBI and Apple over the iPhone ‘backdoor’ request, in which Apple successfully stood its ground against a demand that it argued would make consumers less safe. There is a lot more to be fought over, and the next battleground may well be ‘zero knowledge hosting’.

Zero knowledge hosting is the idea of using so-called ‘100% encryption’ to ensure that cloud hosting providers do not have access to client data stored on their servers. A host would therefore theoretically be unable to provide access to a client’s data on the request of a third party such as a national government. This is a very real possibility, with Werner Vogels, CTO of Amazon Web Services (AWS), recently stating that their intention is to move all of their customers to such a model, a process that has already been in the process for several years.

One might assume that zero knowledge hosting and compliance would be poor bed-fellows. After all, one involves knowing very little about your customer’s activities, the other demands knowing as much as possible. In actual fact, from a compliance perspective there are arguments both for and against such a hosting method.

Before we get into them, however, let’s first dispel one myth that has already come about as a result of sloppy reporting of the facts. Such services being provided by major cloud platforms does not create any new opportunity for nefarious web denizens; zero knowledge hosting simply refers to the relationship between a cloud provider and their clients and does not involve any new technology. Anybody who can afford to buy their own physical server and an internet connection can already host their own fully encrypted data, so a company like AWS offering the same possibility under contract has not in any way empowered criminal or immoral activity. Instead, it simply means that cloud hosting will be as secure as private hosting. Also, ‘zero knowledge’ purely refers to the data being held, not the identity of the customer. The major hosting providers will still know who the responsible person is for that data and will be able to share that information with relevant authorities if the need arises.

So how should the compliance professional respond? The knee-jerk reaction may be that reduced oversight capacity is always a bad thing, but given the understanding above, this starts to seem an overly-simplistic view. Those of us in the compliance industry know that transparency helps us to comply with our duties to avoid the proceeds of criminal activity, sniff-out money laundering, and crack down on the possibility of terrorist financing, but we also know that those are not the full sum of our duties. We also have a duty to ensure that we comply with data protection requirements, for example, and as new European regulations are rolled out we are under pressure to be more protective of that data than ever before. Enhanced security is welcomed in this area, so providing companies the flexibility benefits of cloud hosting as well as the benefits of 100% encryption should be seen as a positive.

Ultimately, for the compliance professional looking to support and advise a client looking to make use of such zero-knowledge hosting, it should not really impact upon our ability to do our job. The battle will revolve not around the user, in this case, but around the supplier. If you are a compliance professional representing a cloud hosting provider, there is a good chance that such providers will soon find themselves in the firing line in much the same way that Apple did. The debate will be whether it is right for such cloud providers to wash their hands of responsibility when the government asks for access to the data, which is ultimately what they are trying to achieve.

If and when that happens, there will be some significant differences between the hosting provider and Apple. One is simple clout – even Amazon wouldn’t be able to rally the same resources as Apple did if it were challenged to access data it had previously locked itself out of. Another difference is that it is easier for B2C companies to take the high ground in claiming they are defending consumers – it may ultimately still be the case with a B2B hosting provider, but that would be harder to explain. Finally, a company is never as a secure as a single phone, and it is less likely that law enforcement would ever have as much difficulty breaking a company’s server encryption as they would a single device, if only because there are more people and records involved for them to seize and place pressure upon before resorting to a hack.

Ultimately this question should be a headache for lawmakers more than compliance professionals, at least for now. If we are to offer good advice to clients, however, we really need to stay one step ahead of legislators and regulators to anticipate the next demand on businesses. In that context, zero knowledge hosting is something to keep an eye on in the current environment, particularly if it is a service you intend to offer.

Kerry Smith - Director, Compliance

Kerry is Boston Group’s Company Secretary with responsibility for risk management, corporate governance, professional indemnity insurance, and project management. She is also the Director responsible for Risk and Compliance and the Statutory team in Boston’s Isle of Man office. Kerry is also the MLRO and Data Protection Officer of the business, and has extensive experience in running projects including formulating a client portfolio-wide programme for registration and reporting in accordance with the requirements of the Foreign Account Tax Compliance Act and the Common Reporting Standards.

Boston Limited is licensed by the Isle of Man Financial Services Authority.
Boston Trust Limited is licensed by the Malta Financial Services Authority to provide trust and fiduciary services in terms of the Trusts and Trustees Act.